Understanding Analyzers on EX9200 Switches
Mirroring is needed for traffic analysis on a switch because a switch, unlike a hub, does not send every packet to every port: it forwards a packet only to the port to which the destination device is connected, so a monitoring station on another port never sees it. You can use analyzers to analyze traffic on your Juniper Networks EX9200 Ethernet Switch at the packet level. You can configure an analyzer to mirror bridged packets (Layer 2 packets). To mirror routed packets (Layer 3 packets), use a port-mirroring configuration in which the family statement is set to inet or inet6. Analyzers are typically used as part of monitoring switch traffic, for example to enforce policies concerning network usage and file sharing, and to locate sources of problems on your network by identifying abnormal or heavy bandwidth usage by particular stations or applications.
Mirrored packets can be copied to either a local interface for local monitoring or a VLAN for remote monitoring. The following packets can be copied:
- Packets entering or exiting a port—You can mirror packets entering or exiting ports, in any combination, for up to 256 ports. For example, you can send copies of the packets entering some ports and the packets exiting other ports to the same local analyzer port or analyzer VLAN.
- Packets entering or exiting a VLAN—You can mirror the packets entering or exiting a VLAN to either a local analyzer port or to an analyzer VLAN. You can configure multiple VLANs (up to 256 VLANs), including a VLAN range and private VLANs (PVLANs), as ingress input to an analyzer.
- Policy-based sample packets—You can mirror a policy-based sample of packets that are entering a port or a VLAN. You configure a firewall filter to establish a policy to select the packets to be mirrored. You can send the sample to a port-mirroring instance or to an analyzer VLAN.
This topic describes:
- Analyzer Overview
- Statistical Analyzer Overview
- Default Analyzer Overview
- Mirroring at a Group of Ports Bound to Multiple Statistical Analyzers
- Analyzer Terminology for EX9200 Switches
- Configuration Guidelines for Analyzers on EX9200 Switches
Analyzer Overview
You can configure an analyzer to define both the input traffic and the output traffic in the same analyzer configuration. The input traffic to be analyzed can be either traffic that enters or traffic that exits an interface or VLAN. The analyzer configuration enables you to send this traffic to an output interface, instance, next-hop group, or VLAN. You can configure an analyzer at the [edit forwarding-options analyzer] hierarchy level.
Statistical Analyzer Overview
On an EX9200 switch, you can define a set of mirroring properties, such as the mirroring rate and the maximum packet length for traffic, that you explicitly bind to physical ports on the router or switch. This set of mirroring properties constitutes a statistical analyzer (also called a nondefault analyzer). At this level, you bind a named instance to the physical ports associated with a specific Flexible Port Concentrator (FPC).
Default Analyzer Overview
On an EX9200 switch, you can configure an analyzer without configuring any mirroring properties, such as mirroring rate or maximum packet length. By default, the mirroring rate is set to 1 and the maximum packet length is set to the complete length of the packet. These properties are applied at the global level and need not be bound to a specific FPC.
Mirroring at a Group of Ports Bound to Multiple Statistical Analyzers
On an EX9200 switch, you can apply up to two statistical analyzers to the same port groups on the switch. By applying two different statistical analyzer instances to the same FPC or Packet Forwarding Engine, you can bind two distinct Layer 2 mirroring specifications to a single port group. Mirroring properties that are bound to an FPC override any analyzer (default analyzer) properties bound at the global level on the switch. Default-analyzer properties are overridden on binding a second instance on the same port group.
Analyzer Terminology for EX9200 Switches
Table 1 lists some analyzer terms and their descriptions with regard to EX9200 switches.
Table 1: Analyzer Terminology
Term | Description |
---|---|
Analyzer | In a mirroring configuration on an EX9200 switch, the analyzer includes the input (the interfaces or VLANs whose entering or exiting traffic is mirrored) and the output (the interface, instance, next-hop group, or VLAN to which the mirrored traffic is sent). |
Analyzer output interface (Also known as monitor port) | Interface to which mirrored traffic is sent and to which a protocol analyzer application is connected. Note: Interfaces used as output for an analyzer must be configured under the ethernet-switching hierarchy level. Analyzer output interfaces have the following limitations: |
Analyzer VLAN (Also known as monitor VLAN) | VLAN to which mirrored traffic is sent. The mirrored traffic can be used by a protocol analyzer application. The member interfaces in the monitor VLAN are spread across the switches in your network. |
Default analyzer | An analyzer with default mirroring parameters. In this configuration, by default, the mirroring rate is 1 and the maximum packet length is the length of the complete packet. |
Input interface (Also known as mirrored ports or monitored interfaces) | An interface on the switch that is being mirrored. Traffic that is either entering or exiting this interface is mirrored. |
LAG-based analyzer | An analyzer that has a link aggregation group (LAG) specified as the input (ingress) interface in the analyzer configuration. |
Local mirroring | An analyzer configuration in which packets are mirrored to a local analyzer port. |
Monitoring station | A computer running a protocol analyzer application. |
Analyzer based on next-hop group | An analyzer session whose configuration uses the next-hop group as the analyzer output. |
Port-based analyzer | An analyzer session whose configuration defines interfaces for both input and output. |
Protocol analyzer application | An application used to examine packets transmitted across a network segment. Also commonly called network analyzer, packet sniffer, or probe. |
Remote mirroring | Functions the same way as local mirroring, except that the mirrored traffic is not copied to a local analyzer port but is flooded to an analyzer VLAN that you create specifically for the purpose of receiving mirrored traffic. Mirrored packets will have an additional outer VLAN tag of the analyzer VLAN. |
Statistical analyzer (Also known as a nondefault analyzer) | You can define a set of mirroring properties that you can explicitly bind to physical ports on the switch. This set of analyzer properties is known as a statistical analyzer. |
VLAN-based analyzer | An analyzer session whose configuration uses VLANs for both input and output or for either input or output. |
Configuration Guidelines for Analyzers on EX9200 Switches
When you configure analyzers on EX9200 switches, we recommend that you follow certain guidelines to ensure that you obtain optimum benefit from mirroring. Additionally, we recommend that you disable mirroring when you are not using it and that you select specific interfaces for which packets must be mirrored (that is, select specific interfaces as input to the analyzer) in preference to using the all keyword option, which enables mirroring on all interfaces. You can also limit the amount of mirrored traffic by using statistical sampling, setting a ratio to select a statistical sample, or using a firewall filter. Mirroring only the necessary packets reduces any potential performance impact.
With local mirroring, traffic from multiple ports is replicated to the analyzer output interface. If the output interface for an analyzer reaches capacity, packets are dropped. Thus, while configuring an analyzer, you must consider whether the traffic being mirrored exceeds the capacity of the analyzer output interface.
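As an added example (constructed here, not Juniper code), the following Python model applies the capacity guidance above: it sums the traffic copied from each mirrored input, applies the sampling rate and maximum packet length of a statistical analyzer, and reports whether the analyzer output interface would be oversubscribed (the point at which the switch drops mirrored packets and the monitoring station goes blind) together with the smallest rate that avoids drops. The interface names, traffic figures, rate semantics and 800-byte average frame size are assumptions.

```python
from dataclasses import dataclass, field
from math import ceil

# Constructed planning model for an EX9200 analyzer output (not Juniper code).
# Assumes "rate N" mirrors one packet in N, and that truncating copies to a
# maximum packet length scales each copy by min(max_len, avg_len) / avg_len.
MAX_INPUTS_PER_ANALYZER = 256  # ports or VLANs per analyzer (guidelines table)


@dataclass
class MirroredInput:
    name: str                   # interface or VLAN (constructed sample names)
    ingress_bps: float          # traffic entering the port or VLAN
    egress_bps: float           # traffic leaving the port or VLAN
    mirror_ingress: bool = True
    mirror_egress: bool = False


@dataclass
class AnalyzerPlan:
    output_capacity_bps: float                # analyzer output interface speed
    inputs: list = field(default_factory=list)
    rate: int = 1                             # default analyzer: every packet
    max_packet_len: int = 0                   # 0 = default, the complete packet
    avg_packet_len: int = 800                 # assumed mean frame size, bytes

    def __post_init__(self) -> None:
        if len(self.inputs) > MAX_INPUTS_PER_ANALYZER:
            raise ValueError("an analyzer accepts at most 256 inputs")

    def raw_mirrored_bps(self) -> float:
        # Copies made before sampling or truncation; a port mirrored in both
        # directions contributes both its ingress and its egress traffic.
        return sum((i.ingress_bps if i.mirror_ingress else 0.0)
                   + (i.egress_bps if i.mirror_egress else 0.0)
                   for i in self.inputs)

    def truncation_factor(self) -> float:
        if self.max_packet_len <= 0:
            return 1.0
        return min(self.max_packet_len, self.avg_packet_len) / self.avg_packet_len

    def expected_output_bps(self) -> float:
        return self.raw_mirrored_bps() * self.truncation_factor() / self.rate

    def overloaded(self) -> bool:
        # True when the mirrored load exceeds the output interface capacity.
        return self.expected_output_bps() > self.output_capacity_bps

    def minimum_rate_to_fit(self) -> int:
        # Smallest sampling rate (1 = every packet) that keeps the mirrored
        # load within the output capacity at the current truncation setting.
        load = self.raw_mirrored_bps() * self.truncation_factor()
        return max(1, ceil(load / self.output_capacity_bps))
```

Two 10-Gbps ports mirrored in both directions can produce more than 10 Gbps of copies, so a 10-Gbps analyzer port needs either sampling or truncation before the design is viable.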
Table 2 summarizes further configuration guidelines for analyzers on EX9200 switches.
Table 2: Configuration Guidelines for Analyzers on EX9200 Switches
Guideline | Value or Support Information | Comment |
---|---|---|
Number of analyzers that you can enable concurrently. | 64 default analyzers; 2 statistical analyzers per FPC | |
Number of VLANs and interfaces that you can use as ingress input to an analyzer. | 256 | |
Types of ports on which you cannot mirror traffic. | | |
Protocol families that you can include in an analyzer. | ethernet-switching | An analyzer mirrors only bridged traffic. To mirror routed traffic, use the port-mirroring configuration with family set to inet or inet6. |
Packets with physical layer errors are not sent to the local or remote analyzer. | Applicable | Packets with these errors are filtered out and thus are not sent to the analyzer. |
Analyzer does not support line-rate traffic. | Applicable | Mirroring for line-rate traffic is done on a best-effort basis. |
Analyzer output on a LAG interface. | Supported | |
Analyzer output interface mode as trunk mode. | Supported | Mirrored packets are filtered on the basis of the VLAN classification of the trunk port and are tagged with their respective VLAN IDs. |
Egress mirroring of host-generated control packets. | Not supported | |
Configuring Layer 3 logical interfaces in the input stanza of an analyzer. | Supported | |
Do not include members of the same VLAN, or the VLAN itself, in both the input and output stanzas of an analyzer. | Applicable | |
Support for a VLAN and its member interfaces in different analyzer sessions. | Not supported | If both are configured, only one of the two analyzers is active. |
Egress mirroring of aggregated Ethernet (ae) interfaces and their child logical interfaces configured for different analyzers. | Not supported | |